Panw module

We have a Filebeat 7.14.2 installed to receive logs from 45 Palo Alto firewalls. The panw module is enabled to listen on UDP and send all data to Elastic directly. After this setup we noticed a significant amount of volume missing from the logs in Elastic. We use a legacy environment to gauge the log ingestion and volume, and we see degradation in significant numbers. Any idea why this would happen?

Hi @alvaro.cabrera Welcome to the community.

This could happen for a number of reasons...

Do you have a sense of the total number of events / min or seconds?

It looks like perhaps you may be trying to use a single Filebeat to listen to 45 PANW firewalls; I suspect that could be at least one of the issues.

For large-scale consumption this is a common architecture pattern:

Many PANW -> Load Balancer (UDP / TCP) -> N number of Hosts / Containers with Filebeat

Also, if the Elasticsearch cluster is not sized properly, etc., that could be an issue.
What is the basic configuration of your cluster?
How many nodes, what RAM / CPU / disk type, etc.?
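One concrete thing to check before scaling out, as an added example that is not part of this thread or of Filebeat: with 45 firewalls sending syslog over UDP to one host, the kernel socket receive buffer can overflow and datagrams are discarded before Filebeat ever reads them, which shows up exactly as "missing volume" with no error in Filebeat's own logs. Linux counts those discards in `/proc/net/snmp` on the `Udp:` lines (`RcvbufErrors`, also reflected in `InErrors`). The script below parses two samples of that file and reports the drop percentage; the two embedded samples are constructed for illustration, and the file format is assumed to be the standard two-line header/values layout Linux uses.

```python
"""Estimate kernel-side UDP drops on a Filebeat syslog receiver.

Added illustration for the thread above (not Filebeat or panw module code).
Assumes Linux, where /proc/net/snmp exposes UDP counters as a header line
and a values line, both prefixed with "Udp:".
"""
import time
from typing import Dict

# Constructed samples of /proc/net/snmp, as if taken a few seconds apart.
SAMPLE_BEFORE = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 1000
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 500000 3 120 2000 120 0 0 0
"""
SAMPLE_AFTER = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 1000
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 800000 3 4620 2100 4620 0 0 0
"""


def parse_udp_counters(text: str) -> Dict[str, int]:
    """Return the Udp: counters of one /proc/net/snmp snapshot as a dict."""
    udp_lines = [line for line in text.splitlines() if line.startswith("Udp:")]
    if len(udp_lines) != 2:
        raise ValueError("expected exactly two 'Udp:' lines (header and values)")
    names = udp_lines[0].split()[1:]
    values = [int(v) for v in udp_lines[1].split()[1:]]
    if len(names) != len(values):
        raise ValueError("header/value count mismatch in Udp: lines")
    return dict(zip(names, values))


def drop_summary(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, float]:
    """Compare two snapshots.

    InDatagrams counts datagrams delivered to a socket; RcvbufErrors counts
    datagrams discarded because the socket receive buffer was full. The sum of
    the two deltas is what actually arrived on the wire during the interval.
    """
    delivered = after["InDatagrams"] - before["InDatagrams"]
    dropped = after["RcvbufErrors"] - before["RcvbufErrors"]
    arrived = delivered + dropped
    pct = (100.0 * dropped / arrived) if arrived else 0.0
    return {
        "delivered": delivered,
        "dropped": dropped,
        "arrived": arrived,
        "drop_pct": round(pct, 2),
    }


def read_proc_snmp() -> str:
    """Read the live counters (Linux only)."""
    with open("/proc/net/snmp", "r", encoding="ascii") as fh:
        return fh.read()


def sample_live(interval_s: float = 10.0) -> Dict[str, float]:
    """Take two live snapshots interval_s apart and summarise the drops."""
    first = parse_udp_counters(read_proc_snmp())
    time.sleep(interval_s)
    second = parse_udp_counters(read_proc_snmp())
    return drop_summary(first, second)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    result = drop_summary(parse_udp_counters(SAMPLE_BEFORE),
                          parse_udp_counters(SAMPLE_AFTER))
    print(f"arrived={result['arrived']} delivered={result['delivered']} "
          f"dropped={result['dropped']} ({result['drop_pct']}%)")
```

Run `sample_live()` on the Filebeat host during normal traffic; a `RcvbufErrors` delta that keeps climbing means the single receiver cannot keep up, and the remedies are the ones the reply points at: raise the socket receive buffer (`net.core.rmem_max` / `net.core.rmem_default`) as a stopgap, and spread the firewalls across more Filebeat hosts behind a load balancer. Compare the reported drop percentage with the shortfall you measure against the legacy environment; if they do not match, the loss is happening further downstream (Filebeat to Elasticsearch) rather than at the socket.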
